


Adapted Privacy Impact Assessment 


Geocaching 


April 20, 2012 


Contact 


Departmental Privacy Office 
U.S. Department of the Interior 
1849 C St, NW 
Mail Stop MIB-7456 
Washington, DC 20240 
(202) 208-1605 
DOI Privacy@ios.doi.gov 


Geocaching 
Adapted Privacy Impact Assessment 
April 20, 2012 








One Privacy Impact Assessment (PIA) may be prepared to cover multiple websites or 
applications that are functionally comparable as long as Agency or Bureau practices are 
substantially similar across each website or application. However, any use of a third-party 
website or application that raises distinct privacy risks requires a complete PIA exclusive to the 
specific website or application. Department-wide PIAs must be elevated to the Office of the 
Chief Information Officer (OCIO) for review and approval. 


SECTION 1: Specific Purpose of the Agency’s Use of the Third-Party Website or 
Application 


1.1 What is the specific purpose of the agency’s use of the third-party website or 
application and how does that use fit with the agency’s broader mission? 


Geocaching is a game in which participants use a Global Positioning System (GPS) 
receiver or GPS-enabled mobile device to hide and find containers, called "geocaches" 
or "caches", anywhere in the world. The cache and its contents may vary, but is often a 
small container containing a logbook that can be signed or small trinkets for geocachers 
to collect. Currently, the largest geocaching web site is Geocaching.com, a commercial 
web site owned by Seattle, Washington, based Groundspeak, Inc. Geocaching.com 
claims to have over 1.7 million active caches and over 5 million participants worldwide. 


Participants who hide caches utilize one of a number of commercial or non-commercial 
web sites to submit posts that notify other users of the hidden caches. The posts can 
provide the cache’s GPS coordinates, or the search for the cache can be made more 
difficult by adding criteria such as requiring users to answer trivia questions before the 
GPS coordinates are revealed or by providing a progressive trail of GPS coordinates 
that must be followed. Users who wish to find hidden caches can start their searches by 
visiting a geocaching web site and performing a search based on various criteria, with an 
address or a zip code often being the primary search filter. 


Users who wish to hide or locate caches using Geocaching.com must be registered 
Geocaching.com users. The registration process requires the submission of a first and 
last name, username, password, and email address. Registered users can modify their 
profiles with additional information, including general geographic location (Such as 
metropolitan area or state), occupation, an avatar and a profile image. Users can 
identify friends who are also Geocaching.com members, and Geocaching.com maintains 
statistics concerning the caches that the user has hidden or found. Through profile 
settings, users can control who sees their information and what information is shared 
with other users. Users can send email messages to other users using 
Geocaching.com’s webmail system (which does not display users’ email addresses) and 
participate in forums on the Geocaching.com web site. Users can also provide 
comments and feedback on postings for specific caches. The Department of the Interior 
(DOI) has no control over content in Geocaching.com, except for official DOI postings. 


DOI will utilize geocaching to place caches at various DO! locations, such as national 
parks. Caches will be strategically located near monuments and other points of interest 
and will include clues and search information designed to make the geocaching process 
an educational experience for players. DOI’s use of geocaching will promote public 
participation and collaboration, bring additional visitors to national parks and other DOI 
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locations, and educate the public about the mission of DOI and its Bureaus and Offices. 
DOI will not use a paper log book at its cache sites or otherwise create paper records 
through geocaching. 


The primary account holder is DOI’s Office of Communications, which will be responsible 
for ensuring the use of the DOI’s official Geocaching.com account is appropriate and all 
information posted is approved for public dissemination. DOI Bureaus and Offices that 
have their own Geocaching.com accounts are responsible for ensuring that all account 
use is appropriate and all information posted is approved for public dissemination in 
accordance with applicable laws, regulations, and DOI privacy, security and social media 
policies. 


Is the agency’s use of the third-party website or application consistent with all 
applicable laws, regulations, and policies? What are the legal authorities that 
authorize the use of the third-party website or application? 


Presidential Memorandum on Transparency and Open Government, January 21, 2009; 
OMB M-10-06, Open Government Directive, December 8, 2009; OMB M-10-23, 
Guidance for Agency Use of Third-Party Websites and Applications, June 25, 2010; the 
Paperwork Reduction Act, 44 U.S.C. 3501; the Clinger-Cohen Act of 1996, 40 U.S.C. 
1401; OMB Circular A-130; 210 Departmental Manual 18; 110 Departmental Manual 5. 


SECTION 2: Any PIl that is Likely to Become Available to the Agency Through the 
Use of the Third-Party Website or Application 


2.1 


2.2 


What PII will be made available to the agency? 


If a Geocaching.com user interacts with DOI through its official Geocaching.com 
account, posts forum comments, sends an email, requests information or submits 
feedback through Geocaching.com, their name, username, profile image, geographic 
location, and other personal information provided by the user may become available to 
DOI. DOI does not collect or share PII from the use of Geocaching.com. However, 
there may be unusual circumstances where there is evidence of criminal activity, a threat 
to the government, a threat to the public, or an employee violation of DOI policy. This 
information may include name, username, profile image, geographic location, or other 
personal information provided by the user, and may be used to notify the appropriate 
agency officials or law enforcement organizations. 


If a user locates a DOI cache and provides a comment or feedback related to the cache 
on Geocaching.com, DOI may obtain information about a user's presence at a particular 
location on a specific date. If the feedback is being provided using a mobile device such 
as a smartphone, the location based information may be provided in real time. 


What are the sources of the PII? 
Potential sources of information are geocaching participants world-wide, including 
members of the general public and Federal employees, and may include other 


government agencies and private organizations. 


3 
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Will the PII be collected and maintained by the agency? 


DOI does not collect or share PII from the use of Geocaching.com. However, there may 
be unusual circumstances where there is evidence of criminal activity, a threat to the 
government, a threat to the public, or an employee violation of DOI policy. This 
information may include name, username, profile image, geographic location, or other 
personal information provided by the user, and may be used to notify the appropriate 
agency officials or law enforcement organizations. 


Any DOI Bureau or Office that uses the Geocaching.com in a way that creates a system 
of records must complete a separate PIA for the specific use and collection of 
information, and must maintain the records in accordance with DOI-08, Social Networks 
system of records notice. DOI Privacy Act system of records notices may be viewed at 
http://www.doi.gov/ocio/information_assurance/privacy/privacy-act-notices-9-06-06.cfm. 


Do the agency’s activities trigger the Paperwork Reduction Act (PRA) and, if so, 
how will the agency comply with the statute? 


No, DOI is not using Geocaching.com to survey the public or in any manner that would 
trigger the requirements of the Paperwork Reduction Act. 


SECTION 3: The Agency’s Intended or Expected Use of the PII 


3.1 


3.2 


Generally, how will the agency use the PII described in Section 2.0? 


DOI does not collect or share PII from the use of Geocaching.com. However there may 
be unusual circumstances where there is evidence of criminal activity, a threat to the 
government, a threat to the public, or an employee violation of DOI policy. This 
information may include name, username, profile image, geographic location, or other 
personal information provided by the user, and may be used to notify the appropriate 
agency officials or law enforcement organizations. 


Provide specific examples of the types of uses to which PII may be subject. 


If a Geocaching.com user interacts with DOI through its official Geocaching.com 
account, posts forum comments, sends an email, requests information or submits 
feedback through Geocaching.com, their name, username, profile image, geographic 
location, and other personal information provided by the user may become available to 
DOI. DOI may use this information to interact with the user or to provide the requested 
information or service. DOI does not collect or share PII from the use of 
Geocaching.com. There may also be unusual circumstances where there is evidence of 
criminal activity, a threat to the government, a threat to the public, or an employee 
violation of DOI policy. This information may include name, username, profile image, 
geographic location, or other personal information provided by the user, and may be 
used to notify the appropriate agency officials or law enforcement organizations. 
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SECTION 4: Sharing or Disclosure of PII 


4.1 


4.2 


With what entities or persons inside or outside the agency will the PII be shared, 
and for what purpose will the PII be disclosed? 


DOI does not collect or share PII from the use of Geocaching.com. However, there may 
be unusual circumstances where there is evidence of criminal activity, a threat to the 
government, a threat to the public, or an employee violation of DOI policy. This 
information may include name, username, profile image, geographic location, or other 
personal information provided by the user, and may be used to notify the appropriate 
agency officials or law enforcement organizations. 


What safeguards will be in place to prevent uses beyond those authorized under 
law and described in this PIA? 


The creation of caches by DOI and posts identifying the caches will be reviewed and 
approved prior to creation and posting on DOI’s office Geocaching.com site. The use of 
DOl’s geocaching accounts will be limited to authorized personnel and controlled by user 
name and password protection, so any privacy risks for the unauthorized disclosure of 
personal data by DOI is mitigated. However, except for official postings DOI does not 
control the content, terms of use or privacy policy on Geocaching.com. There could 
potentially be millions of Geocaching.com users who have access to information posted 
on Geocaching.com, including the general public, Federal employees, private 
organizations, and Federal, State, Tribal and local agencies. 


Geocaching.com requires users to provide their first and last name, a username, and an 
email address (which is not publicly displayed). Additional personal information is 
provided at the user’s discretion. However, the provision of information and user 
consent applies only to terms of use for Geocaching.com. DOI has no control over 
access restrictions or procedures on Geocaching.com, or the personal information 
provided by users. Geocaching.com is responsible for protecting its users’ privacy and 
the security of users’ data. Geocaching.com users are subject to Geocaching.com’s 
Privacy Policy and Terms of Service, and can adjust their profile settings to protect their 
personal information. Users should review Geocaching.com’s Terms of Service and 
Privacy Policy for information regarding the protection of individual users’ privacy and 
security. 


SECTION 5: Maintenance and Retention of PII 


5.1 


How will the agency maintain the Pll, and for how long? 


DOI does not maintain PII on Geocaching.com users. However, for official DOI postings 
retention periods vary as records are maintained in accordance with the applicable 
records schedule for each bureau or office and specific type of record maintained. 
Records published through geocaching activities represent public informational releases 
by DOI, and must be assessed on a case-by-case basis depending on the 
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individual/entity releasing the information and the purpose of the release. There is no 
single records schedule that covers all informational releases to the public at this time. 


Was the retention period established to minimize privacy risk? 


Retention periods may vary depending on agency requirements and the subject of the 
records for the DO! Bureau or Office maintaining the records. In cases where data 
serves to support agency business, it must be filed with the pertinent records they 
support and follow the corresponding disposition instructions. Comments used as 
supporting documentation will utilize the disposition instructions of the records they are 
filed with. 


SECTION 6: How the Agency will Secure PII 


6.1 


6.2 


Will privacy and security officials coordinate to develop methods of securing PII? 


Yes. Privacy and security officials work with the Office of Communications to develop 
methods for protecting individual privacy and securing PII that becomes available to 
DOI. 


How will the agency secure PII? Describe how the agency will limit access to PII, 
and what security controls are in place to protect the PII. 


DOI does not collect or share PII from the use of Geocaching.com. However, there may 
be unusual circumstances where there is evidence of criminal activity, a threat to the 
government, a threat to the public, or employee violation of DOI policy. This information 
may include name, username, profile image, geographic location, or other personal 
information provided by the user, and may be used to notify the appropriate agency 
officials or law enforcement organizations. 


SECTION 7: Identification and Mitigation of Other Privacy Risks 


7.1 


What other privacy risks exist, and how will the agency mitigate those risks? 


Except for official DOI postings, DOI does not have any control over the content in 
Geocaching.com or the personal information posted by Geocaching.com participants, 
including members of the general public and Federal employees. DOI systems do not 
share data with geocaching applications. 


DOl’s Privacy Policy informs the public of how DOI handles personally identifiable 
information that becomes available through interaction on the DOI official website. The 
DOI Privacy Policy also informs the public that DOI has no control over access 
restrictions or privacy procedures on third-party websites and applications, and 
individuals are subject to third-party application’s privacy and security policies. DOI’s 
linking policy informs the public that they are subject to third-party privacy policies when 
they leave a DOI official website to link to third-party sites. 
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Geocaching.com is independently operated and owned by a third-party that controls 
access to user data. Geocaching.com participants control access to their own PII, 
through profile settings and via decisions regarding what personal information they 
provide. DOI has the same access as any member of the public to the personal 
information posted by users on Geocaching.com and has no control over user content 
posted on Geocaching.com. 


Because the game of geocaching is centered around fixed locations, geocaching 
presents additional concerns related to geolocation functions and geospatial privacy 
concerns. Users who create posts indicating that they have found a specific cache are 
creating a public record of their geographic location. The utilization of smartphones can 
create a real time identification of a user’s location. Geolocation-related privacy 
concerns are endemic to geocaching, and geocaching participants have the option not to 
engage in geocaching activities. 


DOI cannot guarantee a specific level of privacy protection or security for third-party 
applications. Users concerned about privacy, including location-based privacy matters, 
may take various steps, including adjusting profile settings, to prevent the public 
dissemination of PII, but DOI makes no representation about the effectiveness of the 
settings options offered by Geocaching.com. Users also can control access to their own 
PII through decisions regarding the personal information they provide, and can decide 
not to participate in Geocaching.com searches. Geocaching.com participants and users 
are advised to review the application’s Terms of Service and Privacy Policy prior to use. 


Does the agency provide appropriate notice to individuals informing them of 
privacy risks associated with the use of third-party website or application? 


DOl’s Privacy Policy informs the public on how DOI handles personally identifiable 
information that becomes available through interaction on the DOI official website. The 
Privacy Policy also informs the public that DOI has no control over access restrictions or 
privacy procedures on third-party websites, and that individuals are subject to third-party 
website privacy and security policies. DOI’s linking policy informs the public that they 
are subject to third-party privacy policies when they leave a DOI official website to link to 
third-party social media web sites. 


DOI will post a privacy notice on its official Geocaching.com profile which will inform 
users that Geocaching.com is a third-party application. It also informs users on how DOI 
handles personally identifiable information that becomes available through user 
interaction and how DOI uses the information. Users of Geocaching.com are directed to 
the DOI Privacy Policy for information handling practices which may be viewed at: 


http://www.doi.gov/privacy.cfm. 


SECTION 8: Creation or Modification of a System of Records 


8.1 


Will the agency’s activities create or modify a “system of records” under the 
Privacy Act of 1974? 
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No. DOI will not collect, maintain or disseminate PII through the use of 
Geocaching.com. Any DOI Bureau or Office that creates a system of records through 
the use of Geocaching.com will complete a separate PIA for that specific use and 
collection of information, and must maintain the records in accordance with DOI-08, 
Social Networks system of records notice, which may be viewed at 
http://www.doi.gov/ocio/information assurance/privacy/privacy-act-notices-9-06-06.cfm. 


8.2 Provide the name and identifier for the Privacy Act system of records. 


DOI does not collect, maintain or disseminate PII obtained through the use of 
Geocaching.com. Any DOI Bureau or Office that creates a system of records through 
the use of Geocaching.com will complete a separate PIA for that specific use and must 
maintain the records in accordance with DOI-08, Social Networks system of records 
notice which may be viewed at 
http://www.doi.gov/ocio/information_assurance/privacy/privacy-act-notices-9-06-06.cfm. 


